Unable to create a ROSA cluster due to InvalidClientTokenId
Environment
- Red Hat OpenShift Service on AWS (ROSA 4)
Issue
- The ROSA cluster creation command returns the following message:
E: Error creating aws client for stack validation: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: <some-random-id>
- The same message is returned when running aws sts get-caller-identity:
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
Resolution
The issue appears to be related to the AWS credentials. The .aws/credentials file contains aws_access_key_id and aws_secret_access_key. The credentials and config files are updated when you run the aws configure command. The credentials file is located at ~/.aws/credentials on Linux or macOS, or at C:\Users\USERNAME\.aws\credentials on Windows.
To resolve this issue, delete the ~/.aws/credentials file and re-run aws configure. Before running the aws configure command, you need to create a new access key pair for the IAM user and use this key to set up your AWS CLI.
$ aws configure
AWS Access Key ID [****************JJGD]:
AWS Secret Access Key [****************JRha]:
Default region name [ap-southeast-2]:
Default output format [table]:
Once you have configured the AWS CLI using the newly created key pair, verify your access with the following command:
$ aws iam list-access-keys
The output should look like this:
{
    "AccessKeyMetadata": [
        {
            "UserName": "xxxxxxxxx",
            "AccessKeyId": "AKIATRxxxxxxxx26JJGD",
            "Status": "Active",
            "CreateDate": "2023-06-07T21:42:59+00:00"
        }
    ]
}
After verifying your access, try installing your ROSA cluster again.
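The verification step above can be automated by comparing the key stored in the credentials file with the aws iam list-access-keys output. The following Python code is an added example, not part of the original article or of the rosa or AWS CLI; the function names, profile names and key values are constructed placeholders.

```python
import configparser
import json

# Constructed sample data: placeholder keys, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE000000NEW
aws_secret_access_key = constructed-placeholder-secret

[old]
aws_access_key_id = AKIAEXAMPLE000000OLD
aws_secret_access_key = constructed-placeholder-secret
"""
SAMPLE_LIST_KEYS = json.dumps({"AccessKeyMetadata": [
    {"UserName": "example", "AccessKeyId": "AKIAEXAMPLE000000NEW", "Status": "Active"},
    {"UserName": "example", "AccessKeyId": "AKIAEXAMPLE000000OLD", "Status": "Inactive"},
]})


def configured_key_id(credentials_text, profile="default"):
    """Return the profile's access key ID, or None if either key is missing."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    if not parser.has_section(profile):
        return None
    key_id = parser[profile].get("aws_access_key_id", "").strip()
    secret = parser[profile].get("aws_secret_access_key", "").strip()
    return key_id if key_id and secret else None


def mask(key_id):
    """Show only the last four characters, as the aws configure prompt does."""
    return "*" * 16 + key_id[-4:]


def check_key(credentials_text, list_keys_json, profile="default"):
    """Classify the configured key: incomplete, not-listed, inactive or active."""
    key_id = configured_key_id(credentials_text, profile)
    if key_id is None:
        return "incomplete"
    for entry in json.loads(list_keys_json).get("AccessKeyMetadata", []):
        if entry.get("AccessKeyId") == key_id:
            return "active" if entry.get("Status") == "Active" else "inactive"
    return "not-listed"


if __name__ == "__main__":
    for name in ("default", "old", "missing"):
        key = configured_key_id(SAMPLE_CREDENTIALS, name)
        print(name, mask(key) if key else "-", check_key(SAMPLE_CREDENTIALS, SAMPLE_LIST_KEYS, name))
```

To run it against real data, pass the text of ~/.aws/credentials and the JSON printed by aws iam list-access-keys; the secret access key is never printed.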
Root Cause
"The security token included in the request is invalid" is a standard AWS error that the rosa CLI triggered while trying to authenticate with AWS. The message E: Error creating AWS client: InvalidClientTokenId suggests that the rosa CLI cannot create an AWS client because the security token included in the request is invalid.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.